Disable Exchange server 2013 Connectors SMTP response

Question
Hi Team,
Need your help and support to provide a solution to one of our customers, who raised a security concern about internal SMTP commands or responses, which are enabled by default on receive connectors in Exchange Server 2013.
As per my client, they want to block SMTP responses for internal SMTP traffic, which means the remote SMTP server accepts SMTP commands like HELO, EHLO, STARTTLS, RCPT, DATA, etc., to protect against spamming flow.
As per my understanding, if we are not using any internal relay servers or clients which use port 25, we can block port 25 from the internal network? Please correct me if I am wrong.
Second, there is no requirement for blocking responses on connectors, as we are using only authenticated traffic.
Please, your input will be helpful.
Regards
Vbhadauria
Wednesday, May 3, 2017 5:38 AM
Answers
Create a new receive connector on every server of type FrontEndTransport, bound to TCP 25, PermissionGroups set to AnonymousUsers, and RemoteIPRanges set to the IP addresses of the inbound hosts from the Internet. This will be the connector that accepts anonymous mail from the Internet or whatever servers you have relaying mail to Exchange. You might need to add the IP addresses of other trusted hosts that need to send anonymous SMTP mail to the RemoteIPRanges of this connector.
Then look at all your other receive connectors and remove AnonymousUsers from all of them. This will keep all non-explicitly specified hosts from being able to submit anonymous SMTP mail.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
Celebrating 20 years of providing Exchange peer support!
- Proposed as answer by Niko.Cheng Thursday, May 4, 2017 9:07 AM
- Marked as answer by vbhadauria Thursday, May 11, 2017 9:05 AM
Wednesday, May 3, 2017 10:31 PM
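
The two steps in the answer above, written out for the Exchange Management Shell as an added example (not part of the original answer). The connector name and the IP addresses are placeholders, and the script only previews changes with `-WhatIf` until `$Apply` is set to `$true`.

```powershell
# Added example. Placeholders: connector name and inbound host addresses.
$ConnectorName = 'Anonymous Inbound'                 # hypothetical name
$InboundHosts  = '192.0.2.10', '198.51.100.0/24'     # placeholder IPs (documentation ranges)
$Apply         = $false                              # set to $true to commit the changes

foreach ($svc in Get-FrontendTransportService) {
    $server = $svc.Name

    # Step 1: one dedicated anonymous connector per server, scoped to the inbound hosts.
    $existing = Get-ReceiveConnector -Server $server |
        Where-Object { $_.Name -eq $ConnectorName }
    if (-not $existing) {
        New-ReceiveConnector -Name $ConnectorName -Server $server `
            -TransportRole FrontendTransport -Custom `
            -Bindings '0.0.0.0:25' -RemoteIPRanges $InboundHosts `
            -PermissionGroups AnonymousUsers -WhatIf:(-not $Apply)
    }

    # Step 2: remove AnonymousUsers from every other receive connector on the server,
    # keeping whatever other permission groups each connector already has.
    foreach ($rc in Get-ReceiveConnector -Server $server) {
        if ($rc.Name -eq $ConnectorName) { continue }

        $groups = "$($rc.PermissionGroups)" -split ',\s*'
        if ($groups -notcontains 'AnonymousUsers') { continue }

        $remaining = @($groups | Where-Object { $_ -ne 'AnonymousUsers' })
        if ($remaining.Count -eq 0) { $remaining = @('None') }

        Set-ReceiveConnector -Identity $rc.Identity `
            -PermissionGroups ($remaining -join ',') -WhatIf:(-not $Apply)
    }
}

# Review the result: only the dedicated connector should still list AnonymousUsers.
Get-ReceiveConnector |
    Format-Table Identity, Bindings, RemoteIPRanges, PermissionGroups -AutoSize
```

Before committing, check the final table against the list of hosts that legitimately send unauthenticated mail, since any such host missing from `RemoteIPRanges` will be rejected once step 2 is applied.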
All replies
Thanks Ed, we gave the same input to the customer.
Regards,
Vbhadauria
- Edited by vbhadauria Thursday, May 11, 2017 9:07 AM
Thursday, May 11, 2017 9:06 AM